Leak of >1,700 valid passwords could make the IoT mess much worse

Security researchers have unearthed a sprawling list of login credentials that allows anyone on the Internet to take over home routers and more than 1,700 "Internet of things" devices and make them part of a destructive botnet.

The list of telnet-accessible devices, currently posted at this Pastebin address, was first posted in June, but it has been updated several times since then. It contains user names and passwords for 8,233 unique IP addresses, 2,174 of which were still running open telnet servers as of Friday morning, said Victor Gevers, chairman of the GDI Foundation, a Netherlands-based nonprofit that works to improve Internet security. Of those active telnet services, 1,774 remain accessible using the leaked credentials, Gevers said. In a testament to the poor state of IoT security, the 8,233 hosts use just 144 unique username-password pairs.

It is likely that criminals have been using the list for months as a means to infect large numbers of devices with malware that turns them into powerful denial-of-service platforms. Still, for most of its existence, the list remained largely unnoticed, with only some 700 views. That quickly changed Thursday with this Twitter post. By Friday afternoon, there were more than 13,300 views.

Making a bad situation worse

"There's not much new about devices standing out there with default or weak credentials," Troy Hunt, a security researcher and maintainer of the Have I Been Pwned breach notification service, told Ars. "However, a list such as we're seeing on Pastebin makes a known bad situation much worse as it trivializes the effort involved in other people connecting to them. A man and his dog can now grab a readily available list and start owning those IPs."

Last year, several botnets came to light that drastically increased the potency of DDoS botnets, which use thousands of computers or other Internet-connected devices all over the world to bombard a single target with more junk traffic than it can process. Security site KrebsOnSecurity, for instance, was taken down for days by attacks that delivered a then-staggering 620 gigabits per second of network traffic. Around the same time, a French Web host reported sustaining onslaughts of 1.1 terabits per second.

The botnets that made these once-unthinkable attacks possible carried names such as Mirai and Bashlight. Unlike more traditional botnets that infected Windows computers, the new generation targeted routers, security cameras, and other Internet-connected devices. According to OVH, the France-based Web host, the 1.1-terabit-per-second barrage was delivered by roughly 145,000 devices. Based on that figure, the 2,174 currently available devices in the list that came to light Thursday are capable of only a small fraction of that firepower. Still, that's enough to bring plenty of smaller sites down almost instantly.

Some of the credentials included in the list suggest that some of the devices have already been conscripted into botnets. The username-password combination mother:fucker, for instance, is used by some IoT botnets once they infect a device. Even if a device is currently infected by such a botnet, it's often possible for a rival botnet operator to seize control of it by causing it to restart, since most of the malware can't survive a reboot. The ready availability of addresses means a single device could be taken over by multiple groups.

Overall, the list included more than 33,000 records, presumably because it had been updated over time from multiple Internet scans without redundant entries being removed. Some IPs in the list showed more than one username-password pair, either because that device had more than one account or because the device had been infected by malware on subsequent scans.

The list was posted by someone who has previously published a host of valid log-in credentials and botnet source code that has proven useful to security professionals, Ankit Anubhav, a researcher with NewSky Security, told Ars. While some of the exposed passwords had been changed, even those remained weak enough to be deduced using brute forcing, a technique that repeatedly submits the most commonly used usernames and passwords into telnet-accessible devices in hopes of guessing the right combination. The vast majority of the 144 unique pairs, however, were factory-default credentials. The top 10 passwords, as tallied by Anubhav, were:

admin—4,621

123456—698

12345—575

xc3511—530

GMB182—495

Zte521—415

password—399

oelinux123—385

jauntech—344

1234—341

Of those, all but one—GMB182—were factory default passwords. GMB182 has often been used in the past by botnet malware.

Meanwhile, Gevers said the top five username-password combinations were:

root:[blank]—782

admin:admin—634

root:root—320

admin:default—21

default:[blank]—18

People who use routers, cameras, and other IoT devices are reminded that remote access should be enabled only when there is good reason, and then only after changing default credentials to a unique, randomly generated password, ideally of 12 or more characters or, if the device doesn't allow that, one as long as the device permits. Even when remote access is disabled, people should always ensure the default password is replaced with a strong one.
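The tallies quoted above (hosts, unique username-password pairs, top passwords, IPs with more than one account) are the kind of de-duplication and counting a defender does when triaging a dump like this, and the advice that follows comes down to a simple check of a device's current login against the known factory defaults. The following is an added example, not code from the article, from the GDI Foundation, or from NewSky Security. The one-record-per-line "ip user:pass" format, the sample records (all in documentation address ranges), and the small FACTORY_DEFAULTS set are constructed for illustration and are assumptions, not the real list.

```python
"""Tally a leaked IoT credential dump and audit a device login against it.

Added example; the input format and sample records below are constructed
(documentation IP ranges), not taken from the Pastebin list in the article.
"""
import secrets
import string
from collections import Counter

# Constructed sample. It has exact duplicate lines and one IP with two
# accounts, mirroring the redundancy the article describes in the real list.
SAMPLE_DUMP = """\
192.0.2.10 root:
192.0.2.10 root:
192.0.2.11 admin:admin
192.0.2.12 root:xc3511
192.0.2.12 admin:1234
198.51.100.5 admin:admin
198.51.100.6 root:GMB182
198.51.100.6 root:GMB182
203.0.113.7 default:
203.0.113.8 root:root
203.0.113.9 admin:admin
"""

# Factory-default pairs a defender treats as "must change". This is a
# constructed subset based on the pairs named in the article, not a full list.
FACTORY_DEFAULTS = {
    ("root", ""), ("admin", "admin"), ("root", "root"),
    ("admin", "default"), ("default", ""), ("root", "xc3511"),
}


def parse_dump(text):
    """Parse 'ip user:pass' lines into a sorted list of unique (ip, user, pw)."""
    records = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or " " not in line:
            continue  # skip blank or malformed lines
        ip, cred = line.split(None, 1)
        user, _, password = cred.partition(":")  # blank password -> ""
        records.add((ip, user, password))
    return sorted(records)  # sorted so tie order in tallies is deterministic


def summarize(records):
    """Counts of the kind the article quotes: hosts, unique pairs, top entries."""
    ip_counts = Counter(ip for ip, _, _ in records)
    pairs = Counter((u, p) for _, u, p in records)
    passwords = Counter(p for _, _, p in records)
    return {
        "hosts": len(ip_counts),
        "unique_pairs": len(pairs),
        "top_pairs": pairs.most_common(3),
        "top_passwords": passwords.most_common(3),
        # IPs listed with more than one account (the article notes these exist)
        "multi_account_hosts": sorted(ip for ip, n in ip_counts.items() if n > 1),
    }


def credential_risk(user, password):
    """Classify a device's current login per the article's advice."""
    if (user, password) in FACTORY_DEFAULTS:
        return "factory-default"
    if len(password) < 12:
        return "too-short"
    return "ok"


def generate_password(length=16):
    """Random replacement password of the recommended length, using a CSPRNG."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    recs = parse_dump(SAMPLE_DUMP)
    print(summarize(recs))
    print(credential_risk("admin", "admin"), credential_risk("admin", generate_password()))
```

Running it on the sample collapses the 11 lines to 9 unique records over 8 hosts, with admin:admin the most common pair and one host carrying two accounts; on a real dump the same counts are what tell you how many distinct devices are actually exposed versus how many times they were re-scanned.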

Gevers said he and other GDI Foundation volunteers are in the process of contacting as many currently affected host owners as possible in an attempt to lock down the vulnerable devices. Given the IoT's deserved reputation for poor default security and the lackadaisical approach many users take to securing their devices, there almost certainly are tens of thousands of other vulnerable devices that can be easily detected with a simple Internet scan.